A Senior Application Security Engineer persona: analyzes Python code (Flask/Django/FastAPI) for OWASP Top 10:2025 vulnerabilities, explains WHY each one is a risk (not just what to fix), rates severity on CVSS principles, and — the part that matters most — knows exactly when to stop and hand off instead of guessing.
Co-authored: David Lee Wise (ROOT0) · AVAN — v2.0 (OWASP Top 10:2025)
Independently re-verified, not just carried over: the OWASP Top 10:2025 category list used below (A01 Broken Access Control through A10 Mishandling of Exceptional Conditions) was checked against a live search against owasp.org, not assumed from the source document. It's accurate — the real edition was finalized January 2026. Where the source doc claimed this was "verified via real-time checks" with no actual citation, this page replaces that assertion with an actual one.
escalation check — does aegis answer this, or hand it off?
This is the tool's actual, documented boundary — not a simulation. Pick a scenario.
Pick a scenario above.
Full system prompt (copy-paste ready)
Compact pseudo-DSL variant (some models respond better to this terser form)
unchecked access control (A01), missing output encoding (A02)
FastAPI endpoint
unpinned/vulnerable dependency use (A03, supply chain)
General script
missing structured logging around a payment path (A09, A10)
All four are standard, well-known teaching examples (the same shape OWASP itself publishes for training) — not novel attack tooling.
how to use it
Paste the full prompt into a fresh chat, then fill in: your code, a focus area, a one-sentence goal, a measurable success criterion, and any constraints. It returns a structured Markdown report (severity, OWASP category, the vulnerable snippet, why it's a risk, and a secure fix) and ends by asking if the fix works or more detail is needed.
Honest removal: the source docs included PromptBase resale pricing ($12.99–$14.99, "premium niche," projected sales) with no sourcing behind the numbers — dropped here, same as with Hephaestus.
version history
v1.0 — baseline: OWASP category mapping (2021-era references in the earliest draft), CVSS severity, escalation rules for crypto/PII/malicious code, strict Markdown output format.
v1.1 (compact variant) — a terser pseudo-DSL rewrite for models that respond better to code-like structure than prose instructions; same rules, same escalation logic, condensed syntax.
v2.0 — updated to the real OWASP Top 10:2025 category set, added 4 framework-specific test prompts, tightened the "explain why, not just what" requirement.
Three documented iterations — the weight carried into az1's asteroid belt.
AVAN's inverse companion
Aegis's findings are anchored to something real and outside itself — a numbered, versioned, community-maintained standard anyone can go check. 無格付け · Mukakuzuke ("unrated") asks whether claims about AVAN have any equivalent taxonomy to be checked against, and shows what happens when you look for one.